The 7 principles of privacy by design

The concept of Privacy by Design was built upon seven core principles that can help guide you when incorporating privacy into your business's daily activities

Robb Hiscock
Senior Content Marketing Specialist, CIPP/E, CIPM
July 11, 2023


Learn more about ISO 37001-1:2023 on Privacy by Design at the blog here.

According to Pew Research Center, 81% of Americans say the risks of data collection by companies outweigh the positives, and 72% say they see little to no benefit from these data processing activities.

With statistics like these, preserving your customers’ freedom of choice and control over their data is no longer a secondary consideration. The onus is on companies to prioritize Privacy by Design.

What is Privacy by Design?

Privacy by Design means privacy is seamlessly integrated into products, services, and system designs by default. Protecting customer data becomes a guiding force in the user experience, taking the same level of importance as functionality. Privacy by Design principles may apply to entire information processes, including:

  • System designs
  • Organizational priorities
  • Project objectives
  • Standards and protocols
  • Business practices

Privacy by Design is a holistic approach to privacy that encompasses 7 foundational principles:

  1. Proactive not Reactive; Preventative not Remedial
  2. Privacy as the Default Setting
  3. Privacy Embedded into Design
  4. Full Functionality — Positive-Sum, not Zero-Sum
  5. End-to-End Security — Lifecycle Protection
  6. Visibility and Transparency – Keep it Open
  7. Respect for User Privacy – Keep it User-Centric

Executives, marketers, designers, and other stakeholders at your company should read, understand, and incorporate these principles into the company’s daily activities.


Principle 1: Proactive not reactive; preventative not remedial

A privacy-first attitude will naturally support a preventative approach to privacy. Instead of reacting to privacy risks or invasions when they happen, companies will actively build processes and procedures to prevent them from occurring in the first place.

Principle 2: Privacy as the default setting

Users shouldn’t have to worry about their privacy settings when browsing a website, opening an app, or logging into software. Privacy as Default ensures they don’t have to: it automatically sets users’ privacy to the highest level of protection, whether or not a user ever interacts with those settings. Such default settings include, among others:

  • Collection limitation: You only collect the amount and types of data you’re legally allowed to.
  • Data minimization: You collect only the absolute minimum amount of data necessary. You won’t collect data just for the sake of collection or because you can.
  • Use, retention & disclosure limitation: You won’t use the collected data for any purpose other than the one the user has agreed to. You won’t keep data after it’s no longer needed for the purposes you stated to users. And you won’t disclose the data unless necessary to achieve the purpose for which it was collected.
  • Security: You implement appropriate technical and organizational measures, e.g., encryption, to ensure the confidentiality, integrity, and availability of the personal data.
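The four defaults above can be enforced in code rather than left to policy documents. The following is an added illustration, not code from the original article or from OneTrust: a small Python module in which optional processing is off until the user opts in, only the fields registered for a stated purpose are ever stored, data is used only for purposes the user consented to, and records expire once their registered retention period has passed. The purpose register (`PURPOSES`), its field lists and retention periods, and the sample submission are constructed values chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical purpose register (constructed values): for each purpose stated to
# the user, the only fields that may be collected and how long they may be kept.
PURPOSES = {
    "order_fulfilment": {"fields": {"email", "shipping_address"}, "retention_days": 90},
    "newsletter": {"fields": {"email"}, "retention_days": 365},
}

# Fixed "now" so the example is reproducible offline.
EXAMPLE_NOW = datetime(2023, 7, 11, tzinfo=timezone.utc)


def days_later(days: int) -> datetime:
    return EXAMPLE_NOW + timedelta(days=days)


@dataclass(frozen=True)
class PrivacyDefaults:
    """Privacy as the default: every optional activity is off until the user opts in."""
    analytics: bool = False
    marketing_emails: bool = False
    third_party_sharing: bool = False
    precise_location: bool = False


@dataclass
class Record:
    purpose: str                 # purpose stated to the user at collection time
    data: dict                   # only the fields that purpose permits
    collected_at: datetime
    consent_purposes: frozenset  # purposes the user actually agreed to


def minimize(purpose: str, submitted: dict) -> dict:
    """Collection limitation and data minimization: keep only the fields the
    stated purpose allows; anything else is dropped before it is ever stored."""
    allowed = PURPOSES[purpose]["fields"]
    return {k: v for k, v in submitted.items() if k in allowed}


def collect(purpose: str, submitted: dict, consent_purposes, now: datetime) -> Record:
    """Store data only for a registered purpose the user has consented to."""
    if purpose not in PURPOSES:
        raise ValueError(f"unregistered purpose: {purpose}")
    if purpose not in consent_purposes:
        raise PermissionError(f"no consent for purpose: {purpose}")
    return Record(purpose, minimize(purpose, submitted), now, frozenset(consent_purposes))


def is_expired(record: Record, now: datetime) -> bool:
    """Retention limitation: a record may be held only up to its purpose's registered TTL."""
    ttl = timedelta(days=PURPOSES[record.purpose]["retention_days"])
    return now - record.collected_at >= ttl


def purge_expired(records, now: datetime) -> list:
    """Return the records that may still be held; the caller discards the rest."""
    return [r for r in records if not is_expired(r, now)]


def use_for(record: Record, purpose: str) -> dict:
    """Use limitation: refuse to repurpose data beyond what the user agreed to."""
    if purpose not in record.consent_purposes:
        raise PermissionError(f"data collected for {record.purpose!r} cannot be used for {purpose!r}")
    return record.data


if __name__ == "__main__":
    # Constructed sample submission: the phone number is not needed for fulfilment.
    submitted = {"email": "user@example.com", "shipping_address": "1 Example St", "phone": "555-0100"}
    rec = collect("order_fulfilment", submitted, {"order_fulfilment"}, EXAMPLE_NOW)
    print("stored:", rec.data)                                  # phone has been dropped
    print("defaults:", PrivacyDefaults())                       # everything optional is off
    print("kept after 30 days:", len(purge_expired([rec], days_later(30))))
    print("kept after 90 days:", len(purge_expired([rec], days_later(90))))
```

The design choice worth noting is that the purpose register, not the form or the caller, decides what is stored and for how long: a new field or a longer retention period has to be added to the register (and to what is stated to users) before the code will accept it, which is what makes the privacy-preserving behaviour the default rather than something each developer remembers to do.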

Principle 3: Privacy embedded into design

Protecting users’ data and privacy should now be a part of the conversation when building a website, a mobile app, or a software application. For embedded privacy to work, it can’t just be a feature tacked on at the end. It also can’t be obvious or awkwardly included so as to detract from the functionality of the program you’re designing. Every decision and new process must be filtered through a privacy-first mindset to promote both functionality and privacy protection.

Principle 4: Full functionality — positive-sum, not zero-sum

A fatalistic attitude won’t work with Privacy by Design. Those who argue trade-offs must be made with the user experience or with security protocols have a zero-sum attitude. Those who work to integrate privacy into every design element seamlessly take a positive-sum approach. And it’s these innovators who will see their brands grow in a world where privacy is increasingly a market mover, not just an issue of legal compliance.

Principle 5: End-to-end security — Lifecycle protection

From the point at which users provide personal data, to when it can be destroyed after serving its purpose — and everything in between — Privacy by Design ensures the security of this data through the processing lifecycle. This full lifecycle protection is where the interdisciplinary nature of Privacy by Design shines. It leans heavily on security best practices to provide end-to-end data protection. Security also ensures data remains confidential, true to its original form, and accessible during its time with the company.

Principle 6: Visibility and transparency – keep it open

Openness with users about your privacy policies and procedures will build accountability and trust. Privacy by Design means documenting and communicating actions clearly, consistently, and transparently. It presents a shared attitude of privacy as a duty, and one your team takes seriously. That promise should be supported by an accessible and effective complaint submission and resolution process, as well as independent verification of your policies and promises to users.

Principle 7: Respect for user privacy – Keep it user-centric

A respect for user privacy involves always having the users’ privacy interests in mind and providing the necessary safeguards and features to protect such interests. This respect inspires every design decision. And it understands the best user experience puts privacy first. This includes putting the power in the hands of the user to manage their own data, actively seeking their engagement in the process.


Conclusion: Privacy by Design is in your future

The demand for data protection and privacy rights of users should compel companies to establish a Privacy by Design culture.

Companies that collect personal data have the legal responsibility to manage it safely and securely and in compliance with applicable laws. However, the increased value consumers themselves are placing on their data means that companies should provide additional assurance by making Privacy by Design their default way of operating. With Privacy by Design as their default operating condition, companies can better ensure privacy and give users more control over their data.

Even companies with the best intentions for using Privacy by Design can struggle to implement it completely, though. Innovation creates changes that are almost impossible to keep up with. New systems are more and more complex.

You can’t implement Privacy by Design without the help of privacy management software.

The OneTrust Privacy & Data Governance Cloud is designed to automate all the aspects of Privacy by Design for your organization. From privacy impact assessments, to identifying and mitigating risks and every other privacy best practice in between, our privacy management software can help you create an integrated environment of privacy protection by default.
